Professional Documents
Culture Documents
NOTE
Introduction
We live in a world of passwords. We use them for everything: to ac-
cess our e-mail and credit cards; to read content on LexisNexis and
ESPN.com; to chat with our friends on America Online and Yahoo!. We
have so many of them it can be easy to forget which password belongs to
which service. Because of their ubiquity, we also tend to reuse our pass-
words. The password to access my e-mail, for instance, is the same
password I use to access LexisNexis. The ubiquity of passwords, how-
ever, has given rise to an entire criminal enterprise focused on acquiring
them. Criminals reason, rightly so, that if they have acquired one
* Georgetown University Law Center, JD May, 2006. The author would like to thank
Professor Neal Kumar Katyal for his assistance.
335
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
password, they have access to much of what you do.1 Consequently, se-
curity experts have suggested for years that to increase security,
computer users should vary their passwords frequently, and use different
passwords for different services.2 Few take this advice.3 In a world built
on access and information, the password has become the ultimate skele-
ton key.
While stealing passwords is not a new crime, in the world of Internet
theft, it has taken on new dimensions. In general, identifying the victim
of criminal behavior on the Internet has become increasingly difficult.
Traditional notions of criminal deterrence—from both economic and
sociological perspectives—have become skewed in a world where even
the criminal does not necessarily know who he is criminalizing.4 The
anonymous nature of the Internet, where the identity of criminals can be
obscured, and the identity of the victims is often unknown even to the
criminals, has elicited a number of proposals from scholars.5 These pro-
posals have ranged from regulating the very code of cyberspace6 to
acquiescence in the face of Internet’s anarchic nature.7 The threat of
stealing a password—a sequence of digits that may contain access to an
individual’s entire life savings and private thoughts—has given these
concerns a heightened sense of urgency.
In late 1999, the world got its first glimpse on a mass scale of the
difficulties Internet crime poses. Napster, with access to millions of
Internet users who had billions of directories containing countless
amounts of copyrighted material, created the world’s largest marketplace
for music theft.8 The astonishing feature of the Napster revolution, how-
ever, was not just its sheer size; it was the kind of people involved.
College students, who otherwise would not shoplift a candy bar, engaged
in widespread copyright theft, rationalizing their behavior on a variety of
1. See, Jack Seward, Always Look Both Ways—Especially When Using Digi-
tal/Electronic Communications, Am. Bankruptcy Institute J. July-Aug. 2005, at 40.
2. See, e.g., Computing and Network Serv., Univ. of Toronto, Computer Security Ad-
ministration, www.utoronto.ca/security/UTORprotect/passwd.htm (last visited Apr. 14, 2006).
3. Will Sturgeon, Passwords: How difficult can it be to get this right?, Silicon.com,
Mar. 9, 2005, http://software.silicon.com/security/0,39024655,39128518,00.htm.
4. See generally Gary Becker, Crime and Punishment: An Economic Approach, 76 J.
Pol. Econ. 69 (1968) (analyzing criminal behavior from an economic perspective); Michel
Foucault, Discipline and Punish 73–103 (Alan Sheridan trans., Vintage Books 1979) (1975)
(a sociological perspective on criminal behavior).
5. See generally, Neal Kumar Katyal, Criminal Law in Cyberspace, 149 U. Pa. L.
Rev. 1003 (2001); Lawrence Lessig, Code and Other Laws of Cyberspace, 46–7 (1999).
6. Lessig, supra note 5, at 85–86.
7. Dov Wisebrod, Controlling the Uncontrollable: Regulating the Internet, 4 Media &
Comm. L. Rev. 331 (1995), available at http://www.catalaw.com/dov/docs/dw-inet.htm.
8. For a legal discussion of why Napster’s actions constituted copyright infringement,
see A&M Records v. Napster, Inc., 284 F.3d 1091 (9th Cir. 2002).
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
factors. While many griped about the expense of albums, the ease of ac-
cess, or the effect of peer pressure, the fundamental issue was quite
simple, if unstated: no one thought it was a crime. Put bluntly, copying
your friend’s music files was widely considered victimless, harmless.
Seven years later, there has been an astonishing turn around in the
public perception of music downloading. According to a recent study,
legal music downloading has tripled, while illegal downloading has
grown at a far slower pace.9 A 2004 Pew survey showed that illegal mu-
10
sic downloading is on the decline. Something happened between 1999
and the present that has changed people’s minds about music download-
ing. What was once an acceptable action, committed by almost every
college and high school student with a high-speed Internet connection, is
now viewed by millions as criminal.
Clearly a part of what happened in the Napster story is that people
began to view the act of downloading music freely as illegal. A signifi-
cant part of this was accomplished by shifting victimhood—instead of
thinking of it as harmlessly taking the music from someone’s computer,
people began to think of music downloading as stealing directly from the
record companies and artists. By putting themselves out in front as the
victims, the Recording Industry Association of America (RIAA) helped
reshape the governing norms of the times, and as a result, people viewed
the act of file-sharing differently.11 By forcing people to see music
downloading as a form of theft, the RIAA was quite successful in deter-
ring it. In the process, they also proposed a radical view of theft that
changes our basic economic understandings of the action.
The Napster story serves as a useful template for thinking about
password theft. If Tom steals Mary’s password to access her LexisNexis
account, there are two possible victims: Mary and Lexis. At first glance,
we would probably say Mary is the primary victim, but that is not alto-
gether clear. After all, Tom would probably argue that Mary can still
access LexisNexis even as he is using her password. And even if Lexis
were to design their software to deprive Tom and Mary of simultaneous
use, Tom is likely to argue that he is not really harming Mary because he
is only depriving her of the short period of usage when he is online: the
deprivation is not permanent. This problem is further complicated if,
rather than stealing her Lexis password, Tom borrows it from Mary with
her permission. In this case, Mary is no longer a victim, she is a
co-conspirator, and the real victim has become even further obscured. If
we think of LexisNexis as the victim in both scenarios, however, the an-
swer becomes clearer: in both cases Tom’s actions were criminal, and
Mary was his co-criminal in the second scenario.
This paper argues that the RIAA’s model for deterring music theft
could be successfully used to deter many other forms of computer theft,
and, specifically, stealing passwords. By focusing on the victim, content-
providers can alter people’s views of their own actions, thereby properly
bringing what was once an innocuous activity into the realm of the
criminal where it belongs. To accomplish this task, however, we have to
comport our traditional views of theft to the realities of the Internet.
First, economic notions of rivalry and non-rivalry are undermined in a
digital world where data is infinitely copyable, and these notions need to
be updated appropriately. Secondly, finding real space analogues to
password theft is important when locating an existing legal framework in
which to work. This Note attempts to do both.
Part I of this Note gives a brief background and explication of rival-
rous and non-rivalrous theft, and the problems that the Internet poses,
specifically in the music downloading area. In so doing, I propose a new
way of conceiving of rivalry that fits into the realities of digital net-
works. Part II is an analysis of password theft, in particular the
distinction between first-party and second-party password theft. First-
party password theft concerns actions—stealing personal identification
numbers and the like—that are probably familiar to most readers. Sec-
ond-party password theft, however, is a far more radical notion that is
crucial for understanding why password theft in general is criminal, and
why it can be so damaging. I analogize first and second-party password
theft to larceny and embezzlement, respectively; the purpose of this is to
provide a legal framework for analyzing password theft as a criminal
activity. Additionally, I show how the updated views of rivalry proposed
in Part I allow us to evaluate properly the harm that password theft
causes. Finally, Part III argues that by following the model of the RIAA,
the government, content-providers, and law enforcement can effectively
deter password theft in a variety of ways.
12. For a general introduction, see generally David A. Besanko & Ronald R. Braeuti-
gam, Microeconomics: An Integrated Approach 749 (2001).
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
steals Frank’s car, the theft is rivalrous because John has taken the car
and deprived Frank of its usage. Non-rivalrous theft is theft that does not
deprive the victim of any usage. The classic example of non-rivalrous
theft is information. If Tom tries to sell information, and Frank steals it,
theoretically he is not depriving Tom of selling just as much information
as before. The theft, in other words, causes no depletion.13 The two mod-
els of theft therefore reflect two forms of goods: those that deplete and
those that do not.
Accordingly, theft that is not rivalrous, under the common law, is not
theft.14 The traditional laws regarding theft always required some form of
permanent deprivation, whether the theft was characterized as larceny or
15
embezzlement. Unauthorized use of information is usually protected by
copyright or intellectual property laws designed to encourage innovation
while preventing usurpation of ideas and free-riding.16 So if Frank photo-
copies Tom’s book and attempts to sell it as his own, his actions are
criminalized by copyright law, not the traditional laws of theft. Theoreti-
cally at least, Tom has not been deprived of anything—he can sell just as
many books as he had before. In contrast, if Frank walks into a book-
store and steals Tom’s book from the store, his theft has deprived the
bookstore of a book it could have sold. Because the law recognizes the
important public good that information represents, goods that do not de-
plete with theft—like information—are not accorded the same level of
protection as those goods that do.
In a digital world, however, this dichotomy begins to find itself on
shaky ground, as it becomes unclear who the law is supposed to protect.
In real space, information can easily be protected by copyright law, be-
cause it is readily apparent whom we are protecting—the innovators,
creators, and disseminators of that information.17 Digitization, however,
has allowed information to be replicated and disseminated faster and
13. See James Boyle, The Second Enclosure Movement and the Construction of the
Public Domain, L. & Contemp. Probs. Winter-Spring 2003, at 33, 41 (“By contrast, a gene
sequence, an MP3 file, or an image may be used by multiple parties; my use does not interfere
with yours. To simplify a complicated analysis, this means that the threat of overuse of fields
and fisheries is generally not a problem with the informational or innovational commons”);
Robert P. Merges et al., Intellectual Property in the New Technological Age, 13
(Aspen Law & Business, 2d ed. 2000).
14. See, e.g., Kansas v. Allen, 917 P.2d 848, 853 (Kan. 1996) (internal quotation marks
omitted) (“Theft . . . is not concerned with mere occupation, detention, observation, or tamper-
ing, but rather requires permanent deprivation. The intent required for theft is an intent to
deprive the owner permanently of the possession, use, or benefit of the owner’s property”).
15. Wayne R. LaFave, Criminal Law, §§ 19.2, 19.6 (4th ed. 2003).
16. See, e.g., Mark A. Lemley, Property, Intellectual Property, and Free Riding, 83 Tex.
L. Rev. 1031 (2005).
17. See 17 U.S.C. § 201(a) (2005) (establishing that the author of a work owns the
copyright).
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
wider than ever before. Buying and selling information is no longer pro-
hibitively expensive, and copyright law has proven insufficient in
18
protecting holders. Furthermore, on digital networks it is harder to de-
termine who owns the copyright. In real space, when a consumer
purchases a book or CD, the copyright owner’s mark is stamped on the
product, and the consumer readily recognizes ownership of the copy-
right.19 The protection that the law accords to copyrighted material in this
setting is therefore lower than that accorded to rivalrous goods. On the
Internet, however, the copyright owner is not readily apparent; informa-
tion appears as anonymous digital files that may not bear any mark or
distinguishing feature, and users have no easy way of determining who
owns that particular file, let alone the copyright. The real space level of
protection accorded to copyrighted material is not sufficient in this envi-
ronment.
What actually happened in the Napster story was a profound shift in
an understanding of rivalrous versus non-rivalrous theft. From a tradi-
tional standpoint, downloading music should be viewed as non-rivalrous
theft—when Tom downloads music off of Frank’s computer, he never
deprived Frank, or anyone, of listening to that song or purchasing that
song. Theoretically, just as many songs could be purchased after the
download. The trouble with this construction is that it views Frank as the
victim, when in reality he is hardly a victim; if anything, by making his
music available on his computer, Frank is an enabler.20 When Napster
took off, this question of who the victim was had no apparent answer,
and that in large part fueled Napster’s popularity: music downloading,
21. Perhaps the most significant impact his actions may have is reducing Frank’s
bandwidth. Bandwidth theft is something not explored in this paper that probably should be at
some point. Briefly, access to the Internet is analogous to access to a highway—there are only
a certain number of lanes available for all of the data to traverse to get to where they are go-
ing. Any action taken over the Internet that involves sending or receiving data—basically
everything—uses up bandwidth. Some actions take up very little bandwidth—checking e-mail
or viewing a webpage, for instance. Others, like music downloading, can take up a great deal
of bandwidth. Assuming Frank pays for his Internet access, downloading music from his com-
puter can actually be rivalrous with respect to him, just not in the sense that he is deprived of
music in any way, but that he is deprived of the complete Internet access he purchased. For a
discussion of the legal aspects of bandwidth theft, see generally Declan McCullagh, FAQ: Wi-
Fi Mooching and the Law, CNET News.com, July 8, 2005, http://news.com.com/FAQ+Wi-
Fi+mooching+and+the+law/2100-7351_3-5778822.html?tag=sas.email (last visited Feb. 9,
2006). But see, Timothy B. Lee, Hop on My Bandwidth, N.Y. Times, Mar. 16, 2006, at A23
(arguing that bandwidth “piggy-backing” does not harm network owners or Internet service
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
providers). A man in Florida was recently arrested for unauthorized access to a computer net-
work. Rob Kelley, Man Charged with Wireless Trespassing, CNN/Money, http://
money.cnn.com/2005/07/07/technology/personaltech/wireless_arrest/ (last visited Feb. 9,
2006).
22. A study sponsored by the RIAA suggests that music retail sales near college cam-
puses—where the vast majority of Napster usage took place, due largely to the accessibility of
high-speed Internet access—plummeted during the years of Napster, by as much as 88%.
Michael Fine, Soundscan, Report of Michael Fine (June 10, 2000),
http://www.riaa.com/news/filings/pdf/napster/fine.pdf; See also BBC News Online, Q&A:
Music Downloading, http://news.bbc.co.uk/1/hi/entertainment/music/3582621.stm (last visited
Apr. 13, 2006).
23. The following fact pattern is based on Konop v. Hawaiian Airlines, Inc., 302 F.3d
868 (9th Cir. 2002).
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
and Konop decided to employ a different tack to get other union mem-
bers to see his point of view—he started a website.
Konop’s website was no ordinary website that average Internet users
visit everyday. Recognizing the sensitive nature of his website’s con-
tent—he could lose his job over this, after all—Konop restricted access
to his website. Prior to being able to view any of the website’s content, a
potential user had to log on by entering his name; that name had to be on
a list of Hawaiian pilots and employees composed by Konop. Once the
user was logged in, the user created a password that would allow the user
to return to the website. Thus, Konop was able to ensure that the only
people viewing his website were fellow employees that he selected; no
one from the ALPA’s current leadership, no unwanted lawyers, and cer-
tainly no one from Hawaiian management. In addition, one of the terms
for viewing the website prohibited approved users from disclosing the
contents of the website to others. Konop, as webmaster, had designed a
space where he, and others who shared his views, could freely express
their displeasure with Hawaiian Airlines and their union leadership with-
out fear of retaliation.
James Davis was a Hawaiian Airlines vice president when Robert
Konop set up his website, and, having learned of its existence, he wanted
to see its contents for himself. However, because of Konop’s design fea-
tures, Davis could not do so without literally hacking the site. Instead he
did something quite obvious and quite devious—he used someone else’s
name. Using the names of two other pilots who were on Konop’s ap-
proved list—after having procured their permission—Davis was able to
gain access to Konop’s site and view its contents for himself.24 He re-
layed what he found to Hawaiian Airlines president Bruce Nobles, who
25
contacted the ALPA leadership personally to discuss the matter.
Konop, after having been contacted by the ALPA leadership and
temporarily taking his website offline, refused to relent and continued to
operate his website as before. His records indicated that over the next
four months, Davis logged onto his website at least 34 times as one of
the two pilots whose names he was using. Eventually, Konop was placed
on medical suspension. As a result, Konop sued, alleging state tort
claims, violation of the federal Wiretap Act, the Stored Communications
Act (SCA), and the Railway Labor Act. The district court granted sum-
mary judgment claim on all but one claim, and entered judgment against
Konop on the last one after a short bench trial. Konop appealed to the
24. As I argue below, that James Davis was able to procure the pilots’ permission
should not matter, as in this case, the pilots had no permission to give. See infra Part II.B.1.
25. Apparently, Konop had accused Nobles of suspicion of fraud, and published various
other disparaging comments.
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
Ninth Circuit. With the exception of one claim, however, the Ninth Cir-
cuit affirmed the dismissal.
Robert Konop’s story is an interesting starting point for a discussion
of password theft because it presents some of the major problems facing
law enforcement and courts in defining theft in the digital age. Specifi-
cally, the Konop story raises two problems that arise in most password
theft cases: identifying the victim and evaluating how the victim was
harmed.
The victim in this case was obviously Robert Konop. But, as I argue
below, when taken out of the context of personal websites and employ-
ment retaliation, that question becomes harder to answer. Finding the
victim in these cases is incredibly important if the law is to effectively
deter password theft. James Davis harmed Konop by using two pass-
words that had been lent to him without Konop’s permission to log onto
his website. In a sense, Davis defrauded the computer—he convinced it
that “he” was “someone else”; this is classic fraud in the inducement.26
Identifying who owns the password becomes critical in answering the
first question: who is the victim. As for the second issue, the harm suf-
fered by Robert Konop was very real: he could have lost his job. He may
have been placed on medical suspension as a result of this website,
which certainly cost him money. More fundamentally, his privacy was
invaded. The harm caused by password theft very often impairs a pecu-
niary or a dignity right.
What we have here, then, is a criminal act: a perpetrator defrauded
the victim’s computer and impaired the victim’s dignity. Password theft,
however, is not a unary crime; it comes in two forms, depending on the
nature of the password. The discussion that follows details first and sec-
ond-party password theft.27 The distinction between the two rests on who
holds the password when it is stolen—the person to whom it belongs
(the first party), or the person to whom it is entrusted (the second party).
First-party password theft concerns crimes that are quite familiar—
identity theft, monetary theft, mail theft—and are clearly analogous to
the common law crime of larceny. Indeed the jurisprudence that has
arisen around first-party password theft has followed that course, and has
had relatively little difficulty in adapting to the Internet.
Second-party password theft, however, concerns crimes that are not
as obvious—unauthorized access, password sharing, and the like. Two
recent famous examples of second-party password theft both coinciden-
26. See Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization”
in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1654–55 (2003).
27. There is a third form of password theft that is a hybrid of the first two that is not
discussed in this paper.
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
28. CNN.com, Princeton Accused of Ivy League Hacking, CNN.com, July 25, 2002,
http://archives.cnn.com/2002/US/07/25/yale.princeton.
29. Robert Weisman, Harvard Rejects 119 Accused of Hacking: Applicants’ Behavior
Unethical at Best, Boston Globe, Mar. 8, 2005, at D1.
30. Indeed Yale considered pressing charges against Princeton, although it never did.
31. See Weisman, supra, note 29.
32. See discussion supra, Part I.
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
account. Law enforcement and courts have recognized this, and have
acted accordingly.33 The use of a computer is merely a different instru-
mentality for the same underlying illicit purpose: acquiring someone
else’s property.
In the case of harm to a dignity or privacy interest, the harm is char-
acterized as an unwarranted invasion of privacy. Stealing Tom’s
password to read his private e-mail is no different than opening his real
space mail. Both involve invading his privacy and harming either or both
of his dignity and privacy. Even though his e-mail may reside on a third
party’s server, he clearly has a reasonable expectation of privacy with
respect to its contents, and the law should punish unwanted intrusions.34
In both cases, the harm is directly inflicted on the party who owns
the password. When Frank signs up for a checking account with Citi-
bank or for e-mail with America Online, a password is given to him by
the service provider so that he can access something—in this case his
money or his correspondence—that belongs to him. When a criminal
steals Frank’s password, therefore, he takes something that belongs to
Frank; the act contains clear real space analogues to common law lar-
ceny. Larceny, according to Wayne LaFave, consists of a trespassory
taking of the personal property of another.35 In the case of first-party
password theft, because the user actually owns the password, when it is
taken by the thief, the thief’s action constitutes a prima facie case of lar-
ceny.
The existence of real space analogues has allowed law enforcement
to easily adapt larceny to an Internet-based environment in shaping pref-
erences and characterizing first-party password theft as criminal.36 A
perfect example of the law’s proper adaptation of common law larceny
37
to first-party password theft is Oregon v. Schwartz. In Schwartz, the
defendant used a program to guess the access password to some of the
38
plaintiff’s computer systems. The defendant proceeded to store the in-
33. See Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a) (2004). See also United
States v. Petersen, 98 F.3d 502, 505 (9th Cir. 1996) (holding that defendant violated Computer
Fraud and Abuse Act when he hacked into the computer of a financial company and illegally
transferred funds into his own personal account).
34. See Quon v. Arch Wireless Operating Co., Inc., 309 F. Supp. 2d 1204, 1211 (C.D.
Cal. 2004); United States v. Sims, No. CR 00-193 MV, 2001 U.S. Dist. LEXIS 25819 (D.N.M.
April 19, 2001).
35. See LaFave, supra note 15, at § 19.2.
36. Compare Mesh v. Elenbogen Safe Deposit Co., 220 Ill. App. 351, 354 (App. Ct.
1920) (holding that allowing a third party to access the plaintiff’s safety deposit box amounts
to larceny) with Oregon v. Schwartz, 21 P.3d 1128, 1136–37 (Or. Ct. App. 2001) (holding that
access passwords to defendant’s computer systems had independent value, and the defendant’s
unauthorized use constituted theft).
37. Schwartz, 21 P.3d at 1135–37.
38. Id.
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
43. See People v. Johnson, 560 N.Y.S.2d 238 (Crim. Ct. 1990); Pennsylvania v. Dela-
paz, 796 A.2d 364 (Pa. Super. Ct. 2002).
44. Johnson, 560 N.Y.S.2d at 243–44.
45. Id. at 240.
46. Id.
47. Id. at 243.
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
Tom owns it: he merely possesses it to access their databases. His usage
is contingent on certain contractual obligations to which he agrees, one
of which is that he agrees not to give the password to anyone else. There-
fore, Tom’s giving it to a friend to use, innocent though it may be with
respect to Tom, is actually a form of conversion, or embezzlement.48 The
purveyor of the password can justify his act just like the Napster user
can—the user’s use has not harmed anyone. Additionally, the user was
unlikely to pay for the service, just as the Napster user, in the service’s
absence, was unlikely to buy the music. Using embezzlement as a real
space analogue to second-party password theft provides the most fruitful
way for law enforcement and courts to effectively characterize it as
criminal.49
Second-party password theft is characterized by a party giving a
password to another entrusted user for that user’s benefit. In the language
of embezzlement, lending an entrusted password to an unauthorized user
is a “fraudulent conversion.”50 In real space embezzlement, courts have
construed this element broadly to encompass a wide range of fraudulent
51
activities. One court in New Mexico, for instance, has characterized
fraudulent conversion as “when a person having possession of another’s
property treats the property as his own, whether he uses it, sells it, or dis-
cards it, he is using the property for his own purpose . . . the gravaman of
conversion is interfering with the rights of the owner, either to the property
itself or to the benefit from the manner in which the property was sup-
posed to have been used. The details of the interference are less important
than the interference itself.”52 Lending a password that has been entrusted
probably falls into this category as well. A password that has been
48. Kerr, supra note 26, at 1644–46. Kerr argues that this action should be governed by
civil liability, rather than criminal liability. I respectfully disagree with his position. Kerr rests
his argument on the assumption that finding criminal liability in this case would criminalize
behavior that millions of Internet users engage in everyday. But the same was true of music
downloading, and modest gains have been made in that area by characterizing that activity as
criminal. In addition, the goal of criminal law should be to deter future criminal behavior, not
to rationalize away past criminal behavior.
49. See LaFave, supra note 15, at § 19.6. According to LaFave, embezzlement evolved
because the law recognized that requiring a trespassory taking for larceny created a massive
loophole in the age of corporate agents: agents, who had rights to use corporate assets, would
use them for their own personal benefits, at the expense of the corporation. Because they had
access to these assets, their actions could not be characterized as trespassory, a crucial element
in a larceny claim. Embezzlement was created to fill that hole. Rather than require a trespas-
sory taking, legislatures required a fraudulent conversion of the property of another.
50. Id.
51. See, e.g., New Mexico v. Archie, 943 P.2d 537, 540 (N.M. Ct. App. 1997) (holding
that a convict who took off an electronic monitoring bracelet and threw it away was guilty of
embezzlement, because ownership of the bracelet resided with the state, and he was merely
entrusted with its use).
52. Id. (interior quotation marks omitted).
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
60. Id., at 356 (“[W]ebsite owners . . . can ensure that they have fulfilled the $5000
statutory threshold. All a website owner need do is to hire a firm to conduct a ‘damage as-
sessment’ following detection of robotic activity”).
61. Pub. L. No. 107–56, § 814, 115 Stat. 272, 382–84 (2001).
62. See Introduction supra.
63. To avoid economic substitution effects, the law could easily stratify the penalties of
password theft based on the severity of the theft.
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
Conducting the analysis in this fashion also dovetails nicely with the
dual rivalrous and non-rivalrous nature of Internet theft. If Tom steals
Mary’s Lexis password, we have seen that by following ownership in-
stead of possession, Tom is really stealing from LexisNexis, not Mary.
And economically this should be so. Tom’s theft is rivalrous with respect
to LexisNexis; it is permanently deprived of the account it could have
otherwise sold to Tom, and far more in the aggregate. On the other hand,
Tom’s theft is non-rivalrous with respect to Mary; his theft, whether with
her permission or without, has deprived her of nothing. At worst, she
may have to be reassigned a new password, or be deprived of access to
Lexis for a limited time. But the depletion is not permanent, and should
therefore not be considered theft with respect to her.64
Second-party password theft analysis would also deal with the Ko-
nop case far more effectively than the Ninth Circuit did.65 Robert Konop
was clearly the victim in the case, as it was his password to distribute,
and his harm was real, even if the pecuniary nature of that harm was de
minimis. Where the court erred, however, was in mistaking possession of
the password for ownership. Had it not done so, the perpetrators of the
crime would have been clear: the pilots. James Davis accessed Konop’s
website with passwords given to him by two pilots who had no right to
lend them. By “lending” their passwords to Davis, the pilots embezzled
those passwords, interfering with Konop’s right to determine ex ante
who had access to his website. Once a perpetrator is identified, Konop’s
harm becomes far more real and easy to evaluate, if difficult to quantify
precisely—his ownership right was fraudulently converted, and his pri-
vacy was invaded.
A. Public Education
One of the most effective tools deployed by the RIAA in the wake of
Napster was an aggressive public campaign to brand music downloading
as a criminal act.66 Television and print commercials focused on the hu-
man side of a multi-billion dollar industry, describing the people whose
jobs were lost because of illegal music downloading.67 Instead of pre-
senting platinum selling artists like Metallica and Britney Spears as the
victims, the RIAA used the lesser-known—and more modest—
employees of music companies who suffer as a result of rampant music
downloading. The consequence of these advertisements was nothing
short of staggering: illegal music downloading has plummeted in com-
parison to the rise of Internet usage since 1999.68
Internet content-providers should be deploying a similar campaign.
While it may be hard to garner much sympathy for a faceless corporation
like LexisNexis, it is amazing what branding something as criminal will
do in the court of public opinion. Putting human employees who face job
loss or pay cuts out front could also enhance the human factor. In any
event, Internet content-providers should band together to campaign
against password theft; because so few people consider second-party
password theft a crime, they can only improve.
66. See, e.g., Memorandum from Lee Rainie, et al., Pew Internet Project and Comscore
Media Metrix Data Memo on the State of Music Downloading and File-sharing Online (April
2004), http://207.21.232.103/pdfs/PIP_Filesharing_April_04.pdf (finding that the RIAA’s
campaign against those who download and swap music online has made an impact on several
major fronts).
67. See, e.g., Press Release, RIAA, Recording Industry Begins Suing P2P File Sharers
Who Illegally Offer Copyrighted Music Online (Sept. 8, 2003), http://www.riaa.com/news/
newsletter/090803.asp (“In addition, it [illegal downloading] threatens the jobs of tens of
thousands of less celebrated people in the music industry, from engineers and technicians to
warehouse workers and record store clerks”).
68. Compare Techweb.com, Survey, supra note 10 (describing Pew poll finding a sig-
nificant drop in illegal music downloads) with World Internet Usage and Population Stats,
http://www.internetworldstats.com/stats.htm (last visited Apr. 13, 2006) (indicating that Inter-
net usage has doubled in North America, and tripled in other parts of the world, since 2000).
69. Regan, Study, supra note 9.
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
70. For an explanation of the strengths of fingerprint biometrics versus passwords, see
Walter S. Mossberg & Katherine Boehret, Using a Fingerprint to Log On to Your PC, Wall
St. J., Mar. 15, 2006, at D1. See also Rina C.Y. Chung, Hong Kong’s Identity Card: Data
Privacy Issues and Implications for a Post-September 11th America, 4 Asian-Pac. L. &
Pol’y J. 519, 540–42 (2003). But see, Lisa Jane McGuire, Banking on Biometrics: Your
Bank’s New High-Tech Method of Identification May Mean Giving Up Your Privacy, 33 Ak-
ron L. Rev. 441 (2000) (discussing the privacy implications of using biometric analysis for
user-identification).
71. See Neal Kumar Katyal, Architecture as Crime Control, 111 Yale L.J. 1039, 1060–
61 (2002) (arguing that in real space, one way the law can effectively deter criminal conduct is
by establishing clear, physical boundaries between public and private space).
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
72. Cf. Michael J. Meurer, Copyright Law and Price Discrimination, 23 Cardozo L.
Rev. 55, 84–85 (2001) (applying economic price discrimination models to the copyright con-
text).
73. Id. at 85–86.
74. Id. at 59.
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
C. Targeted Lawsuits
Lastly, the RIAA has been incredibly successful in deterring illegal
music downloading by attacking downloaders themselves, rather than
the peer-to-peer network providers. The reason this tactic has been so
successful is that by suing downloaders, it made a costless activity very
expensive. As Gary Becker has shown, the rate of detection and the se-
verity of punishment are largely interchangeable variables.76 Prior to the
lawsuits initiated by the RIAA, the chance of getting caught download-
ing music was zero, and the penalty was also zero. When the RIAA
started suing downloaders, the chance of getting caught was still incredi-
bly small—millions of people were downloading at the time, and
Internet Service Providers were loathe to distribute their names—but the
severity of the penalty had suddenly skyrocketed, especially compared to
the cost of just purchasing the album legally. Illegal downloading
dropped immediately.
A similar strategy may be successful for other Internet businesses. It
should be said that the potential for backlash here is tremendous: over-
deterrence can create massive marginal deterrence problems, as people
figure that if they are going to lend a password to one friend, they may as
well start a website and distribute them to millions. In addition, the court
of public opinion should not be underestimated either: if the strategy is
to educate people, content-providers should not be too aggressive in
prosecuting people who are probably truly ignorant of their criminal be-
havior. Targeting lawsuits against particularly egregious violators—those
who knowingly distribute passwords on a mass scale, for instance—
provides a measure of deterrence without compromising position in the
court of public opinion.
75. This is obviously easier to achieve in software sales than over the Internet. Micro-
soft, for example, sells a corporate version of its Office suite at a higher price that allows
multiple installations, while its home version of Office, while cheaper, only allows for a far
more limited number of installations. This feature is built into the code of the software. For a
discussion on building restrictions into digital architecture as a tool for law enforcement, see
Neal Kumar Katyal, Digital Architecture as Crime Control, 112 Yale L.J. 2261 (2003).
76. See Becker, supra note 4.
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
Conclusion
Fortunately, the law has a path to follow in deterring password theft.
The RIAA has recognized the threat posed by Internet theft and has
made some significant advances in deterring it. While they have sus-
77
tained a great deal of criticism from certain quarters, they have also
been impressively effective, as the percentage of illegal downloaders has
dropped since Napster. The law, as well as Internet content-providers,
can draw some important lessons from the RIAA about the economics of
digital theft in its efforts to deter password theft.
By most measures, incidence of password theft is rising, not declin-
ing.78 As more people gain access to the Internet, and the Internet’s reach
broadens, the importance of passwords in the daily lives of hundreds of
millions of Internet users is also likely to increase. While technological
advances are being made in increasing the security of databases, the law
has lagged behind in identifying the key features of password theft and
what makes it unique among other Internet crimes. Distinguishing be-
tween first and second-party password theft, identifying the victim, and
properly evaluating the harm suffered are just the first steps in updating
the law to fit the realities of the Internet.